TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Security Over Databases Could Be Enhanced to Ensure Taxpayer Data Are Protected

May 4, 2011

Reference Number: 2011-20-044

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Redaction Legend
2(f) = Risk Circumvention of Agency Regulation or Statute

Phone Number  | 202-622-6500
Email Address | TIGTACommunications@tigta.treas.gov
Web Site      | http://www.tigta.gov


HIGHLIGHTS

SECURITY OVER DATABASES COULD BE ENHANCED TO ENSURE TAXPAYER DATA ARE PROTECTED

Final Report issued on May 4, 2011

Highlights of Reference Number: 2011-20-044 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The Internal Revenue Service (IRS) uses more than 2,200 databases to manage and process its taxpayer data. Databases are increasingly being targeted by attackers. When the right degree of security diligence is not applied to databases, disgruntled insiders or malicious outsiders can exploit security weaknesses in those databases and may gain unauthorized access to taxpayer data, resulting in identity theft or fraud.

WHY TIGTA DID THE AUDIT

This review was included in TIGTA's Fiscal Year 2010 Annual Audit Plan and is part of our statutory requirements to annually review the adequacy and security of IRS information technology. This audit also addresses the major management challenge of Security of the IRS. The overall objective of this review was to determine whether the IRS adequately configured databases operating in its non-mainframe production environment to properly secure taxpayer data.

WHAT TIGTA FOUND

TIGTA found that non-mainframe databases containing taxpayer data were not always configured in a secure manner and that databases were running out-of-date software that no longer received security patches and other vendor support.

In addition, the IRS had not fully implemented its plans to complete vulnerability scans of databases within its enterprise. Also, the IRS purchased a database vulnerability scanning and compliance assessment tool without the completion of adequate product evaluation and testing. As a result, the IRS spent more than $1.1 million in software licenses and support costs for a tool that was not fully implemented.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Chief Technology Officer ensure: 1) the security vulnerabilities identified on databases are remediated; 2) explicit management approvals are included in the database configuration building process; 3) a strategic plan is developed to address outdated database versions; 4) outdated databases are upgraded, planned to be migrated to newer versions, or properly approved to deviate from existing standards; 5) database vulnerability scans are conducted as required by policies; 6) database vulnerability scans test all high- and medium-risk configuration settings; and 7) a thorough technical product evaluation is consistently conducted and documented for the purchase of future software products.

In its response to the report, the IRS agreed with TIGTA's recommendations. The IRS plans to: 1) develop a strategy to ensure vulnerabilities are documented; 2) identify appropriate organizations to develop a management approval process to be used in the database build and configuration change processes; 3) develop a strategic plan for obsolescence of technology, including database version control; 4) develop a migration plan to upgrade database software to supported versions; 5) establish a process for conducting monthly scans of databases; 6) establish a Memorandum of Understanding to ensure database vulnerability scans are conducted with the privileges necessary to test all high- and medium-risk database configuration settings; and 7) create/designate a location to ensure all Product Evaluation and Selection and testing documentation is accessible from a centralized location.

The IRS disagreed with TIGTA's $1.1 million outcome measure related to the licensing of the IRS vulnerability scanning tool. TIGTA maintains the appropriateness of the measure.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

May 4, 2011

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael R.
Phillips
Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Security Over Databases Could Be Enhanced to Ensure Taxpayer Data Are Protected (Audit # 201020014)

This report presents the results of our review to determine whether the Internal Revenue Service (IRS) adequately configured databases operating in its non-mainframe production environment to properly secure taxpayer data. This review was included in the Treasury Inspector General for Tax Administration Fiscal Year 2010 Annual Audit Plan and is part of our statutory requirements to annually review the adequacy and security of IRS information technology. This audit also addresses the major management challenge of Security of the IRS.

Management's complete response to the draft report is included as Appendix V.

Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions, or Alan Duncan, Assistant Inspector General for Audit (Security and Information Technology Services), at (202) 622-5894.


Table of Contents

Background
Results of Review
    Production Environment Databases Containing Taxpayer Data Were Not Configured in a Secure Manner
        Recommendation 1
        Recommendation 2
    Production Environment Databases Were Running Out-of-Date Database Software That No Longer Receives Security Patches and Other Vendor Support
        Recommendations 3 and 4
    Complete Vulnerability Scans of Databases at the Frequency Required by Agency Standards Were Not Being Conducted
        Recommendations 5 through 7
    Other Issues From the Prior Audit Report Were Adequately Addressed
Appendices
    Appendix I – Detailed Objective, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Outcome Measure
    Appendix V – Management's Response to the Draft Report


Abbreviations

ACIO    Assistant Chief Information Officer
DBMS    Database Management System
IBM     International Business Machines
IRM     Internal Revenue Manual
IRS     Internal Revenue Service
MITS    Modernization and Information Technology Services
RDBMS   Relational Database Management System
SQL     Structured Query Language
TIGTA   Treasury Inspector General for Tax Administration


Background

Data are often referred to as the "crown jewels" of an organization because data represent the organization's core business purpose. Data can consist of customer records, trade secrets, business partner information, or any other highly sensitive information. Electronic data are typically stored in a database management system (DBMS), which uses standard methods for accepting and managing incoming data, cataloging and storing the data, and providing ways for the data to be modified or extracted by users or other programs. Databases are increasingly being targeted by attackers. A 2009 report [1] on data breaches cited that 30 percent of all known security breaches were against databases. This trend was particularly disturbing because when a database was breached, 75 percent of the records were compromised.

The Internal Revenue Service (IRS) employs almost 100,000 employees and operates more than 200 applications to administer our Nation's tax laws and regulations. The IRS relies on more than 2,200 databases to manage and process data, such as personally identifiable taxpayer information and sensitive financial/tax information, on its computer systems.
Two database management software products are primarily used in the IRS's non-mainframe computer processing environment: Oracle Database and Microsoft Structured Query Language (SQL) Server.

The Treasury Inspector General for Tax Administration (TIGTA) previously issued an audit report on database security [2] in which we reported that the prescribed IRS database security policies adequately aligned with Federal Government guidelines and best practices. However, at that time, we found databases did not fully comply with IRS policy because standard database security configurations were poorly communicated, security roles and responsibilities were not assigned or carried out, and tests to detect noncompliance were inadequate.

Our current database security review was performed at the IRS National Headquarters in New Carrollton, Maryland, in the Office of Cybersecurity within the Chief Technology Officer's Modernization and Information Technology Services (MITS) organization during the period January through October 2010. We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.

[1] 2009 Data Breach Investigations Report, conducted by the Verizon business risk team.
[2] Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper Implementation (Reference Number 2007-20-129, dated August 22, 2007).


Results of Review

Production Environment Databases Containing Taxpayer Data Were Not Configured in a Secure Manner

The Internal Revenue Manual (IRM) 10.8.4, Relational Database Management System (RDBMS) Security Configurations, provides general security standards for databases and requires that all DBMS installations operated by the IRS comply with the provisions of this IRM. The IRM states that all requirements detailed in this policy apply to all IRS databases regardless of vendor product or version. IRS requirements specific to Oracle Database Server and Microsoft SQL Server are covered in individual exhibits.

We used database vulnerability assessment software to conduct remote scans of the primary databases for 13 applications supporting critical tax administration business processes.
Of these 13 applications, ***************************2(f)*********************************. We tailored the scan policies to reflect the security configurations set forth by the IRM and found high- and medium-risk vulnerabilities, as classified by the scanning tool, in each of the 13 databases in the following security vulnerability categories:

   •   Account management: the management of individual user account profiles. Vulnerabilities identified in this area included the existence of default or generic accounts and inappropriate password settings.
   •   Privilege management: the management of user access to sensitive files and utilities on the database. Vulnerabilities identified in this area included powerful administrative privileges that were not assigned according to specific job functions.
   •   Operating system protection: the management of access to sensitive system files and program code. Vulnerabilities identified in this area included inappropriate user access to system source code and source code that is not protected by encryption.

Figure 1 presents the security vulnerabilities identified in each of the 13 database systems on the applications reviewed.

Figure 1: Number of Security Vulnerabilities Identified in Each Security Vulnerability Category by Application

IRS Application     Account Management     Privilege Management     Operating System Protection
***2(f)***                   3                      2                          2
***2(f)***                   4                      7                          0
***2(f)***                   7                      5                          3
***2(f)***                   3                      4                          2
***2(f)***                   3                      3                          0
***2(f)***                   3                      3                          1
***2(f)***                  10                      4                          1
***2(f)***                   5                      3                          0
***2(f)***                   5                      5                          0
***2(f)***                   4                     10                          3
***2(f)***                   6                      4                          3
***2(f)***                   3                      3                          2
***2(f)***                   5                      5                          2
Totals                      61                     58                         19
Source: TIGTA analysis of automated scan results.

In several cases, the databases retained the default settings from the previous software installation or upgrade. When the results of the scans were presented to IRS personnel responsible for management of the databases, management advised us that some of the databases were built prior to the governing IRM database configuration policy and some of the databases were misconfigured as a result of oversight. In addition, management cited one possible systemic cause: the database scanning technology has not yet been fully deployed across its database environment, which would have allowed database administrators to regularly scan for and detect database parameter misconfigurations.

We also found the IRS has three separate groups within the MITS organization with roles in the non-mainframe database administration environment.

   1. The Applications Development office has responsibility for the initial database design and development and issues transmittals authorizing changes to the database software when necessary.
   2. Database administrators in the Enterprise Operations office are responsible for implementing the changes described in the transmittals.
   3. The Cybersecurity office is responsible for monitoring the configuration of database software and identifying inconsistencies.

We believe the lack of database configuration management in the IRS is a direct result of database configuration management being a loosely shared responsibility across several MITS organization offices. Further, our discussions with IRS officials verified that no single office has the responsibility to ensure IRS databases are configured appropriately, which highlights the need for an approval process for configuring secure settings on databases.

In our prior audit, we recommended that the IRS correct the database security control weaknesses identified at that time. The IRS agreed with this recommendation and stated that each of the database security control weaknesses that TIGTA identified would be included in the corrective plan of actions and milestones document. However, we reviewed the plan of actions and milestones documents from Fiscal Years 2007 and 2008 for those systems tested in the previous audit and could not determine whether the weaknesses were entered, addressed, or closed. As a result, we have no assurance that the previous security weaknesses were corrected.

Exploitation of the security vulnerabilities on databases could result in unauthorized access to taxpayer information and could ultimately result in identity theft or fraud.
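The three categories in Figure 1 correspond to checks that a policy-tailored scan evaluates against each database. The following is an added example written for this page, not the IRS scanning tool and not the text of IRM 10.8.4: it evaluates a configuration record for one database against a small rule set covering all three categories and returns findings in the per-category shape of a Figure 1 row. The default-account names, the 90-day password lifetime, the set of powerful privileges and the two sample records (as found, and after remediation) are constructed assumptions.

```python
"""Policy-driven database configuration check: an added example modelled on the
report's three vulnerability categories, not the IRS's scanning tool. The policy
values below are assumptions, not IRM 10.8.4 text; the sample records are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_ACCOUNTS = {"SCOTT", "OUTLN", "DBSNMP", "SA"}  # assumed list of vendor default names
MAX_PASSWORD_LIFETIME_DAYS = 90                          # assumed; None (UNLIMITED) also fails
POWERFUL_PRIVILEGES = {"DBA", "SYSDBA", "SYSADMIN"}      # need a matching DBA job function
WORLD_READABLE = 0o004                                   # POSIX "other" read bit

@dataclass
class Account:
    name: str
    status: str                            # "OPEN" or "LOCKED"
    password_lifetime_days: Optional[int]  # None means UNLIMITED
    dba_job_function: bool = False         # admin privileges justified by role

@dataclass
class DbConfig:
    name: str
    accounts: List[Account]
    grants: Dict[str, Set[str]]        # grantee -> privileges/roles held
    files: List[Tuple[str, str]]       # (path, octal mode string such as "0640")
    source_code_wrapped: bool          # stored program source obfuscated/encrypted

@dataclass(frozen=True)
class Finding:
    category: str  # "account" | "privilege" | "os"
    risk: str      # "high" | "medium"
    detail: str

def check_account_management(cfg: DbConfig) -> List[Finding]:
    out = []
    for a in cfg.accounts:
        if a.name.upper() in DEFAULT_ACCOUNTS and a.status == "OPEN":
            out.append(Finding("account", "high", f"default account {a.name} is open"))
        life = a.password_lifetime_days
        if life is None or life > MAX_PASSWORD_LIFETIME_DAYS:
            shown = "UNLIMITED" if life is None else f"{life} days"
            out.append(Finding("account", "medium", f"password lifetime for {a.name} is {shown}"))
    return out

def check_privilege_management(cfg: DbConfig) -> List[Finding]:
    out = []
    by_name = {a.name.upper(): a for a in cfg.accounts}
    for grantee, privs in cfg.grants.items():
        if grantee.upper() == "PUBLIC":
            if privs:  # anything granted to PUBLIC is held by every account
                out.append(Finding("privilege", "medium", f"PUBLIC holds {sorted(privs)}"))
            continue
        powerful = privs & POWERFUL_PRIVILEGES
        acct = by_name.get(grantee.upper())
        if powerful and not (acct and acct.dba_job_function):
            out.append(Finding("privilege", "high",
                               f"{grantee} holds {sorted(powerful)} without a DBA job function"))
    return out

def check_os_protection(cfg: DbConfig) -> List[Finding]:
    out = []
    for path, mode in cfg.files:
        if int(mode, 8) & WORLD_READABLE:
            out.append(Finding("os", "medium", f"{path} is world-readable (mode {mode})"))
    if not cfg.source_code_wrapped:
        out.append(Finding("os", "medium", "stored program source is not wrapped/encrypted"))
    return out

def scan(cfg: DbConfig) -> List[Finding]:
    return check_account_management(cfg) + check_privilege_management(cfg) + check_os_protection(cfg)

def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Per-category counts, the shape of one row of Figure 1."""
    c = Counter(f.category for f in findings)
    return {k: c[k] for k in ("account", "privilege", "os")}

# Constructed sample: one database as found, and the same database after remediation.
AS_FOUND = DbConfig(
    "APP_DB",
    accounts=[Account("SCOTT", "OPEN", 90), Account("APP_USER", "OPEN", None),
              Account("DBA_ADMIN", "OPEN", 90, dba_job_function=True)],
    grants={"APP_USER": {"DBA", "CONNECT"}, "DBA_ADMIN": {"DBA"}, "PUBLIC": {"EXECUTE ON UTL_FILE"}},
    files=[("/u01/app/oracle/network/admin/listener.ora", "0644"),
           ("/u01/oradata/APP_DB/system01.dbf", "0640")],
    source_code_wrapped=False)
REMEDIATED = DbConfig(
    "APP_DB",
    accounts=[Account("SCOTT", "LOCKED", 90), Account("APP_USER", "OPEN", 90),
              Account("DBA_ADMIN", "OPEN", 90, dba_job_function=True)],
    grants={"APP_USER": {"CONNECT"}, "DBA_ADMIN": {"DBA"}, "PUBLIC": set()},
    files=[("/u01/app/oracle/network/admin/listener.ora", "0640"),
           ("/u01/oradata/APP_DB/system01.dbf", "0640")],
    source_code_wrapped=True)
```

Running `summarize(scan(AS_FOUND))` on the constructed record yields two findings in each category, which is how a row of Figure 1 is produced; the same call on `REMEDIATED` yields none. The privilege rule deliberately distinguishes a powerful role held by an account whose job function is database administration from the same role held by an application account, which is the "assigned according to specific job functions" test the finding describes.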
Also, if these systems were to be corrupted or disabled, the IRS tax processing system could be adversely affected.

Recommendations

Recommendation 1: The Chief Technology Officer should ensure the vulnerabilities identified in the 13 systems scanned during the current audit, as well as any other high-risk security vulnerabilities identified through automated scans and manual reviews, are remediated. Otherwise, a properly approved deviation should be on file to justify departure from stated standards.

       Management's Response: The IRS agreed with this recommendation. The Assistant Chief Information Officer, Cybersecurity, in partnership with the Enterprise Operations organization, plans to 1) ensure the vulnerabilities identified in the 13 systems scanned during the current audit are remediated or documented in a plan of actions and milestones and 2) develop an Enterprise process and remediation strategy to ensure that high-risk vulnerabilities identified during periodic database scans are documented in a plan of actions and milestones.

Recommendation 2: The Chief Technology Officer should ensure explicit management approvals are included in the IRS database configuration building process and the IRS database configuration change process to ensure that databases are properly configured according to the standards cited in IRM 10.8.4, RDBMS Security Configurations.

       Management's Response: The IRS agreed with this recommendation. The IRS will identify appropriate organizations to develop an explicit management approval process to be used in the database build and configuration change processes to ensure the databases are properly configured.

Production Environment Databases Were Running Out-of-Date Database Software That No Longer Receives Security Patches and Other Vendor Support

IRM 10.8.4, RDBMS Security Configurations, states that each organization responsible for the management of a database shall ensure that unsupported DBMS software is removed or upgraded to a supported version before the vendor drops support, and shall ensure a formal migration plan exists for removing or upgrading the DBMS before the date the vendor drops security patch support. Without vendor support, the databases are not patched by the vendor to address newly discovered security vulnerabilities and remain vulnerable to attack. As a follow-on requirement to protect the DBMS environment, the IRM also states that database administrators shall ensure the DBMS patch level is current.

Our analysis of a scan conducted by the IRS in the first quarter of Fiscal Year 2010 showed that, of 1,879 databases within the IRS's production computing environment, 326 (48 percent) of 676 Oracle databases and 448 (37 percent) of 1,203 SQL Server databases were running versions of database software that were no longer supported by the vendor. Figure 2 presents the Oracle and SQL Server databases reviewed and which versions are no longer supported by the vendors.

Figure 2: Database Systems by Version

Software by Version            Number of Database Servers in      Percentage of Unsupported Versions
(out-of-support versions       the IRS Production Environment     Within Each Database System
 marked "unsupported")
Oracle 8i (unsupported)                  173                              26%
Oracle 9i (unsupported)                  153                              23%
Oracle 10g                               343                              Supported
Oracle 11g                                 7                              Supported
Oracle Total                             676
SQL 2000 (unsupported)                   448                              37%
SQL 2005                                 754                              Supported
SQL 2008                                   1                              Supported
SQL Total                              1,203
Total Database Servers                 1,879
Source: TIGTA analysis of automated scan results.

The overall percentage of unsupported versions for Oracle would have been significantly higher because the Oracle 10g version category includes earlier releases that are no longer supported by the vendor.
However, due to limitations of the software used by the IRS to collect the data, our analysis was restricted to the version level (e.g., 10g) and not the more granular version and release level (e.g., 10g, Release 10.2.0.2).

In response to our requests for strategic database plans to address outdated database versions, IRS management did not provide any documentation and informed us that, while informal discussions had been held within the Enterprise Operations office regarding the need to migrate to currently supported versions, no enterprise-wide actions had been taken. As mentioned in the previous finding, we believe the lack of strategic database management in the IRS is a direct result of database management being a shared responsibility across several IRS offices, including the MITS organization's Enterprise Operations, Applications Development, and Cybersecurity offices, as well as IRS business program management.

When outdated and unsupported database versions are used, the organization is susceptible to performance and security weaknesses inherent to older versions. As shown in Figure 3, we found that 6 of the 13 database systems we selected for detailed testing did not have the current critical patch updates or service pack installed. The *****2(f)************* are potentially at risk for having between 20 and 193 security vulnerabilities, depending on when the latest patch had been applied. The ***2(f)*************** did not have the current patches applied was at risk for 16 security vulnerabilities.

Figure 3: Potential Vulnerabilities in Database Systems With Out-of-Date Software

#   IRS Application   Database Version      Last Patch Applied                                                              Number of Potential Security Vulnerabilities Since Last Patch
1   *****2(f)*****    Oracle 10g            Critical patch update released in July 2009 applied on November 1, 2009.         30
2   *****2(f)*****    Oracle 9i             Critical patch update released in January 2010 applied on February 28, 2010.     20
3   *****2(f)*****    Oracle 10g 10.1.0.4   Critical patch update released in April 2007 applied on June 3, 2007.           193
4   *****2(f)*****    Oracle 10g 10.2.0.2   Critical patch update released in October 2007 applied on October 27, 2007.     146
5   *****2(f)*****    Oracle 10g 10.2.0.2   Critical patch update released in October 2007 applied on December 9, 2007.     146
6   *****2(f)*****    SQL 2000              Service Pack 4 8.00.2055 released in February 2009.                              16
Source: TIGTA analysis of automated scan results.

A critical patch update ***2(f)****** and a service pack **********2(f)****** are bundles of software fixes or patches released to provide corrections to weaknesses in operating systems or software products. ********************************2(f)*************************** ****************2(f)*********************************************************** ******2(f)************************. Both critical patch updates and service packs address security weaknesses that compromise:

   •   Data confidentiality – An attacker is able to view information that he or she should be prevented from viewing.
   •   Data integrity – An attacker is able to modify information that he or she should be prevented from modifying.
   •   System availability – An attacker is able to disrupt legitimate use of or access to a system.

The IRS acknowledged that these database systems were not running vendor-supported software and, therefore, could not be patched to current levels. The IRS did not provide evidence to support its rationale for not updating these sample systems to a current DBMS or that it had planned upgrades to the systems.
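The limitation noted under Figure 2, that the IRS inventory data resolved only the major version (10g) and not the release (10.2.0.2), is exactly what hides rows 3 through 5 of Figure 3 inside the "supported" 10g count. The following is an added example written for this page, not the IRS's scan or any vendor data: it parses the version banners the two products print, classifies each database at release level, and produces the per-family tally and unsupported percentage of Figure 2 together with the "older than n-1" test named in the Recommendation 4 response. The major-version support flags mirror Figure 2 as reported for Fiscal Year 2010; the 10g release floor (10.2.0.4) and the sample inventory are constructed assumptions, not vendor support dates.

```python
"""Release-level support check over a database inventory: an added example, not
the IRS's scan or vendor data. Major-version support status follows Figure 2
(FY2010 vendor status as reported); the 10g release floor is an ASSUMED value."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ORACLE_MAJOR = {8: "8i", 9: "9i", 10: "10g", 11: "11g"}         # first release number -> marketing name
SQLSERVER_MAJOR = {8: "2000", 9: "2005", 10: "2008"}           # engine major -> product year
RELEASE_ORDER = {"oracle": ["8i", "9i", "10g", "11g"],         # oldest first, for the n-1 test
                 "sqlserver": ["2000", "2005", "2008"]}
MAJOR_SUPPORTED = {("oracle", "8i"): False, ("oracle", "9i"): False,
                   ("oracle", "10g"): True, ("oracle", "11g"): True,
                   ("sqlserver", "2000"): False, ("sqlserver", "2005"): True,
                   ("sqlserver", "2008"): True}
MIN_SUPPORTED_RELEASE = {("oracle", "10g"): (10, 2, 0, 4)}     # assumption for illustration

_ORACLE_RE = re.compile(r"Oracle.*?Release\s+(\d+)\.(\d+)\.(\d+)\.(\d+)")
_SQLSERVER_RE = re.compile(r"Microsoft SQL Server\s+(\d{4})\s*-\s*(\d+)\.(\d+)\.(\d+)")

@dataclass(frozen=True)
class Classification:
    family: str
    major: str
    release: Tuple[int, ...]
    status: str  # supported | unsupported | unsupported_release | unknown

def parse_banner(banner: str) -> Optional[Tuple[str, str, Tuple[int, ...]]]:
    """Pull (family, major, numeric release) out of a version banner string."""
    m = _ORACLE_RE.search(banner)
    if m:
        rel = tuple(int(g) for g in m.groups())
        return "oracle", ORACLE_MAJOR.get(rel[0], str(rel[0])), rel
    m = _SQLSERVER_RE.search(banner)
    if m:
        rel = tuple(int(g) for g in m.groups()[1:])
        return "sqlserver", m.group(1), rel
    return None

def classify(banner: str) -> Classification:
    parsed = parse_banner(banner)
    if parsed is None:
        return Classification("unknown", "?", (), "unknown")
    family, major, rel = parsed
    supported = MAJOR_SUPPORTED.get((family, major))
    if supported is None:
        status = "unknown"
    elif not supported:
        status = "unsupported"                      # whole major version out of support
    elif rel < MIN_SUPPORTED_RELEASE.get((family, major), ()):
        status = "unsupported_release"              # hidden inside a "supported" major
    else:
        status = "supported"
    return Classification(family, major, rel, status)

def older_than_n_minus_1(family: str, major: str) -> bool:
    """The criterion in the Recommendation 4 response: more than one major behind current."""
    order = RELEASE_ORDER.get(family, [])
    return major in order and order.index(major) < len(order) - 2

def tally(banners: List[str]) -> Dict[str, Counter]:
    counts: Dict[str, Counter] = {}
    for b in banners:
        c = classify(b)
        counts.setdefault(c.family, Counter())[c.status] += 1
    return counts

def percent_unsupported(counts: Counter) -> float:
    total = sum(counts.values())
    bad = counts["unsupported"] + counts["unsupported_release"]
    return round(100.0 * bad / total, 1) if total else 0.0

# Constructed inventory in the banner formats the two products print.
SAMPLE_INVENTORY = [
    "Oracle9i Enterprise Edition Release 9.2.0.8.0 - 64bit Production",
    "Oracle Database 10g Enterprise Edition Release 10.1.0.4.0 - Production",
    "Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Production",
    "Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - Production",
    "Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production",
    "Microsoft SQL Server 2000 - 8.00.2055 (Intel X86)",
    "Microsoft SQL Server 2005 - 9.00.4035.00 (Intel X86)",
]
```

On the constructed inventory, a major-version-only count would report one of five Oracle databases as unsupported; `tally(SAMPLE_INVENTORY)` reports three, because the two 10g databases below the assumed release floor are classified `unsupported_release`. That gap is the difference between the 48 percent in Figure 2 and the "significantly higher" figure the report could not compute. The `unknown` status is returned rather than silently treating an unparsed banner as supported, so inventory gaps show up in the tally instead of inflating the supported count.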
However, a Cybersecurity office executive shared with us an\nemail from another MITS organization executive on some problems encountered after they\nupgraded the database version of one of the systems we reviewed. The email indicated that the\napplication became unstable and was intermittently operational and nonoperational. To address\nthe problems, they had engaged the vendor and database experts.\nThe IRS advised us that costs to upgrade its database software to currently supported versions\nare difficult to estimate but would primarily consist of the labor costs of full-time equivalents3 to\nimplement needed modifications to existing production applications to achieve compatibility\nwith the newer versions of database software. We believe the IRS could be wasting funds by not\nupgrading or patching its database software that is covered by its enterprise software licenses.\n\nRecommendations\nRecommendation 3: The Chief Technology Officer should ensure an enterprise-wide\nstrategic plan is developed to address the outdated database version management issues prevalent\nin the IRS production environment.\n         Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n         Enterprise Services organization will coordinate with the affected stakeholders to develop\n         a strategic plan for obsolescence of technology to include database version control.\nRecommendation 4: The Chief Technology Officer should ensure databases with\nout-of-support DBMS software are upgraded to currently supported versions within a reasonable\ntime period. For those systems where upgrading the database software or implementing security\npatches have been determined to be dangerous to the stability of the system, a migration plan\nshould be developed and a properly approved deviation should be on file to justify departure\nfrom stated standards.\n         Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. 
The\n         Assistant Chief Information Officer, Enterprise Services, will coordinate with affected\n         stakeholders to develop a migration plan to upgrade the database management software to\n         currently supported versions. An inventory of all servers with databases on them and\n         their associated software version will be created. Enterprise Services will then outline\n         steps to take to address the versions older than n-1 and install updates accordingly.\n         Enterprise Services will establish ongoing monitoring of servers and institutionalize a\n         process to keep software current.\n\n3\n A measure of labor hours in which 1 full-time equivalent is equal to 8 hours multiplied by the number of\ncompensable days in a particular fiscal year. For Fiscal Year 2010, 1 full-time equivalent is equal to 2,088 staff\nhours.\n\nPage 8\n\nComplete Vulnerability Scans of Databases at the Frequency\nRequired by Agency Standards Were Not Being Conducted\nThe National Institute of Standards and Technology\xe2\x80\x99s Special Publication 800-39, Integrated\nEnterprise-Wide Risk Management: Organization, Mission, and Information System View,\nemphasizes the practice of continuous monitoring. It states that a well-designed and\nwell-managed continuous monitoring program can effectively transform an otherwise static\nsecurity control assessment and risk determination process into a dynamic process that provides\nessential, near real-time security status information to appropriate organizational officials. 
This\ninformation can be used to maintain a current understanding of the security state and risk posture\nof the organization and facilitate appropriate risk mitigation actions.\nAs of October 1, 2009, IRM 10.8.1, Information Technology Security \xe2\x80\x93 Policy and Guidance,\nrequires the IRS to conduct monthly vulnerability scans of its systems that have a high or\nmoderate rating, based on the Federal Information Processing Standards Publication 1994 rating\nof systems. Prior to this date, the IRM required the IRS to scan these systems on a quarterly\nbasis. Also, IRM 10.8.4, RDBMS Security Configurations, requires that all DBMS installations\noperated by the IRS, or operated by an IRS contractor on behalf of the IRS, shall comply with\nthe provisions of this IRM. The IRM states that all requirements detailed in this policy apply to\nall IRS databases, regardless of vendor product or version. IRS requirements specific to Oracle\nDatabase Server and Microsoft SQL Server are covered in individual exhibits.\nIn our August 2007 report, we recommended the Chief Information Officer develop an\nimplementation plan for the organization\xe2\x80\x99s database compliance assessment tool that adequately\ndefines the scope of the databases tested, the requirements to be tested, the timing of tests, and\nthe schedule for implementation. The IRS agreed with this recommendation and stated that it\nwould implement a process for detecting noncompliance with database security requirements. In\nJune 2007, the IRS purchased the Application Security\xe2\x80\x99s DbProtect AppDetective as its database\nvulnerability scanning and compliance assessment tool.\nIn our current review, we found that the implementation plan had been developed but had not\nbeen fully implemented. 
IRS management explained that they experienced significant technical\ndifficulties in implementing DbProtect AppDetective as a regular recurring scanning tool for the\nIRS\xe2\x80\x99s database environment. Management stated that the difficulties were due to the many\ndifferent implementations of the database software across the environment. During the period\nApril 2009 to February 2010, we found that the IRS conducted vulnerability scans of only 79 of\nits 1,879 non-mainframe databases. These scans were ad hoc in nature and not part of a formal\ndatabase compliance testing program.\n\n4\n  Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal\nInformation and Information Systems, provides standards to be used by all Federal agencies to categorize all\ninformation and information systems collected or maintained by or on behalf of each agency based on the objectives\nof providing appropriate levels of information security according to a range of risk levels.\n\nPage 9\n\nFurther, when we reviewed the IRS scanning policy against which databases are tested to ensure\nit included tests for controls provided in the IRM standard database configurations, we found the\nIRS scanning policy did not include checks for 42 Oracle and 26 SQL high- and medium-risk\nsecurity settings. We believe the IRS database scanning policy omitted these high- and\nmedium-risk tests because the necessary access privileges had not been established to allow the\ntool to scan these sensitive security settings. Instead, the IRS relied on the results provided by\nthe limited scans. 
The IRS Cybersecurity office recently began drafting procedures for\nconducting vulnerability scans of its computer environment. These procedures include regularly\nscheduled scans and ad hoc scans that systems stakeholders may request whenever needed.\nIn its MITS organization Cybersecurity Operations: Technical Roadmap, dated August 2007, the\nIRS stated:\n       By exploiting un-patched and un-remediated vulnerabilities in our databases,\n       disgruntled insiders or malicious outsiders may gain unauthorized access to our\n       most sensitive information. Database vulnerabilities exist for several reasons\n       including technological weaknesses, poor security-control implementation, lack\n       of training, and absences of effective oversight. Routine quarterly scans to detect\n       and correct database vulnerabilities and misconfigurations are essential to\n       ensuring the right degree of security diligence is being applied to IRS databases.\nBy not having regular and complete monthly database scans checking for key required parameter\nsettings, the IRS has not met this goal of ensuring security diligence is applied to IRS databases\nand is not proactively identifying insecure databases within its computing environment.\nAs a secondary issue on the database vulnerability scanning tool, we also found that the IRS had\npurchased the DbProtect AppDetective database vulnerability scanning tool without completing\nadequate product evaluation and testing. 
The National Institute of Standards and Technology\xe2\x80\x99s\nSpecial Publication 800-100, Information Security Handbook: A Guide for Managers, lists the\nfollowing questions that should be posed by an organization prior to the selection of information\nsecurity products.\n   \xe2\x80\xa2   Have policies been developed for the use of products as appropriate?\n   \xe2\x80\xa2   Have operational issues such as daily operation, maintenance, contingency planning,\n       awareness and training, and documentation been considered?\n   \xe2\x80\xa2   Have security requirements been identified and compared against product specifications?\n   \xe2\x80\xa2   Have total life cycle support, ease-of-use, scalability, and interoperability requirements\n       been determined?\n   \xe2\x80\xa2   Have test requirements for acceptance and integration testing and configuration\n       management been developed?\n\nPage 10\n\nSimilarly, the Control Objectives for Information and Related Technology5 sets forth control\nobjectives for the process of acquiring and maintaining application software. This specific\nguidance recommends mapping business requirements to design specifications for software\nacquisition and taking into account the organization\xe2\x80\x99s technological direction and information\narchitecture. 
The Control Objectives for Information and Related Technology recommends\nhaving management approve the design specifications to ensure that the high-level design\nresponds to the requirements.\nWhen the IRS Cybersecurity organization licensed Application Security\xe2\x80\x99s DbProtect\nAppDetective database vulnerability assessment software tool in June 2007, the IRS had planned\nto use the tool to conduct regularly scheduled enterprise-wide scans of IRS databases. As\nmentioned previously, this scanning tool was part of the IRS\xe2\x80\x99s corrective actions from our prior\nreview.\nIn our current review, however, we determined the DbProtect AppDetective scanning tool was\nnever fully implemented. In addition to the technical difficulty in implementing the tool, IRS\nmanagement stated they would have incurred significant additional licensing costs to license the\ntool for their International Business Machines (IBM) mainframe database environment. IRS\nmanagement decided upon an alternative action to license another database scanning tool in\nMay 2010, IBM\xe2\x80\x99s Guardium, to replace the DbProtect AppDetective database scanning tool.\nThe IRS justified the alternative procurement stating that Guardium would provide a\ncost-effective vulnerability assessment for the mainframe database environment and real-time\nmonitoring of database servers to enable the IRS to identify any changes made to database\nconfigurations.\nWhen we requested DbProtect AppDetective product evaluation documentation, the IRS could\nnot provide any product evaluation or control testing documentation justifying its licensing of the\nDbProtect AppDetective. We believe a technical evaluation of the product\xe2\x80\x99s ability to satisfy\nIRS requirements, and control testing thereof, would have informed the IRS of the actual costs of\nimplementing the DbProtect AppDetective scanning tool across all database products, including\nits mainframe database environment. 
Without an adequate product evaluation of the DbProtect\nAppDetective tool, the IRS was not fully aware of the tool\xe2\x80\x99s limitations, including its\napplicability to the IBM mainframe environment. Consequently, the IRS spent more than\n$1.1 million in software licenses and support costs for a tool that was not fully implemented.\n\n5\n  The Control Objectives for Information and Related Technology is a complete, internationally accepted process\nframework for information technology that supports business and information technology management in their\ndefinition and achievement of business goals and related information technology goals by providing a\ncomprehensive information technology governance, management, control, and assurance model.\n\nPage 11\n\nRecommendations\nRecommendation 5: The Chief Technology Officer should ensure vulnerability scans of\nIRS databases are conducted at the frequency required by the IRM and any security weakness\nidentified should be corrected or approved for deviation from security policies.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       Cybersecurity organization\xe2\x80\x99s Penetration Testing and Code Analysis group will establish\n       a formal process for conducting monthly agency-wide scans of IRS databases. 
In\n       addition, the Penetration Testing and Code Analysis group will transmit identified\n       weaknesses to the stakeholders, and the System/Program Owner and Information\n       Systems Security Officer will formulate appropriate remediation actions.\nRecommendation 6: The Chief Technology Officer should ensure database vulnerability\nscans are conducted with the access privileges necessary to test all high- and medium-risk\ndatabase configuration settings.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS\n       Cybersecurity organization\xe2\x80\x99s Penetration Testing and Code Analysis group will establish\n       a Memorandum of Understanding with the Enterprise Operations organization and\n       Systems Owners to ensure database vulnerability scans are conducted with the access\n       privileges necessary to test all high- and medium-risk database configuration settings.\nRecommendation 7: The Chief Technology Officer should ensure a thorough technical\nproduct evaluation and testing of key functional requirements is consistently conducted and\ndocumented for the acquisition of software products.\n       Management\xe2\x80\x99s Response: The IRS agreed with this recommendation. The IRS has\n       established Product Selection Guidance and has controls in place for technical product\n       evaluation and testing of key functional requirements. The Change Control governance\n       process ensures thorough product evaluation and testing has been completed prior to\n       product acquisition following the Product Evaluation and Selection Guidance. In\n       addition, a centralized repository exists documenting all change requests and their\n       disposition. 
The IRS can create/designate a location to ensure all Product Evaluation and\n       Selection and testing documentation is stored or accessible from a centralized location.\n       Office of Audit Comment: IRS did not agree with the Outcome Measure (see\n       Appendix IV) relating to the purchase of the DbProtect AppDetective software tool. In\n       its response, the IRS stated that DbProtect AppDetective was the best available tool at the\n       time of the purchase, met the immediate needs for a database vulnerability scanning\n       capability in response to TIGTA\xe2\x80\x99s audit recommendation, and was put into production\n       use. The IRS also stated that ongoing costs and business requirements were the main\n       reasons for changing to a new database scanning tool. We disagree that the tool was\n       purchased in response to an audit recommendation. The IRS purchased DbProtect\n       AppDetective in June 2007, and the previous audit report was issued in August 2007. In\n       addition, the report contained a recommendation that IRS develop a formal\n       implementation plan for the tool, which IRS agreed to but never completed. We also\n       disagree that DbProtect AppDetective was put into production use. As noted in the\n       finding, the IRS conducted scans of only 79 of its 1,879 non-mainframe databases from\n       April 2009 to February 2010. After preliminary discussions with IRS management, the\n       outcome measure was adjusted to reflect this limited use of the tool. No further\n       adjustment to Appendix IV was made.\n\nPage 12\n\nOther Issues From the Prior Audit Report Were Adequately Addressed\nAs part of this review, we followed up on the IRS\xe2\x80\x99s corrective actions to the seven\nrecommendations from our prior report and determined that corrective actions for all seven\nrecommendations were taken and each of the corrective actions was reported as closed on the\nJoint Audit Management Enterprise System.6 Specifically, our followup work determined that\nthe IRS had:\n    \xe2\x80\xa2   Adequately publicized the standard database configurations.\n    \xe2\x80\xa2   Ensured internal web sites referred to the Cybersecurity office\xe2\x80\x99s web site for current\n        security configurations.\n    \xe2\x80\xa2   Ensured security administration responsibilities were properly assigned.\n    \xe2\x80\xa2   Ensured employees are aware of their database security responsibilities.\n    \xe2\x80\xa2   Ensured that security testing evaluates compliance with standard database security\n        configurations.\nHowever, we identified that database weaknesses had not been adequately addressed prior to their\nclosure on the Joint Audit Management Enterprise System for two recommendations.\n    \xe2\x80\xa2   The Chief Information Officer should ensure the database security control weaknesses we\n        identified are corrected.\n    \xe2\x80\xa2   The Chief Information Officer should develop an implementation plan for the\n        organization\xe2\x80\x99s database compliance assessment tool that adequately defines the scope of\n        the databases tested, the requirements to be tested, the timing of the tests, and the\n        schedule for implementation.\n\n6\n  The system used by the Department of the Treasury to record and monitor audit findings and corrective actions\ntaken to address findings from audit reports.\n\nPage 13\n\nBoth of these remaining corrective actions are mentioned within the context of the current\nfindings identified during the course of this review.\n\nPage 14\n\n                                                                                               Appendix I\n\n         Detailed Objective, Scope, and Methodology\n\nThe overall objective of this review was to determine whether the IRS adequately configured\ndatabases operating in its non-mainframe production environment to properly secure taxpayer\ndata. We also assessed the IRS\xe2\x80\x99s progress in implementing corrective actions reported during\nour prior audit.1\nWe selected an initial sample of 20 primary production databases for detailed testing from the\ntotal IRS environment of 226 applications.2 We used a judgmental sample to ensure we\nconducted detailed testing on applications that are considered high impact in the IRS. These\ndatabases were selected according to the following criteria in order of importance: applications\nclassified as major applications according to criteria provided by Federal Information Processing\nStandards Publication 199, applications that process Sensitive but Unclassified data, and\napplications that use Oracle or Microsoft SQL as the database management software. To\naccomplish our objective, we:\nI.      Assessed the adequacy of IRS database strategic planning and database security policies.\n        A. Obtained and reviewed the IRS\xe2\x80\x99s strategic database planning documents regarding\n           DBMS program products and versions. 
We commented on the reasonableness of the\n           plan in terms of the number of supported program products, plans to migrate from\n           out-of-support products, and plans to roll out newer versions of vendor supported\n           program products.\n        B. Reviewed assigned roles and responsibilities for database security (e.g., who develops\n           configuration policy, who implements configuration policy, and who monitors\n           compliance with database configuration policy) to ensure roles and responsibilities\n           are adequately defined. We verified that duties to implement configuration policy\n           and monitor compliance with database configuration policy are appropriately\n           segregated.\n        C. Determined, as a followup to our prior audit, whether database administrators are\n           assigned for the SQL and Oracle databases that were included in our current sample\n           for detailed testing. We also determined if security specialist roles are assigned for\n           the databases that were included in our sample for detailed testing.\n\n1\n  Standard Database Security Configurations Are Adequate, Although Much Work Is Needed to Ensure Proper\nImplementation (Reference Number 2007-20-129, dated August 22, 2007).\n2\n  Seven of the 20 databases were removed from the sample due to technical issues experienced when conducting the\nscans.\n\nPage 15\n\n        D. Validated, as a followup to our prior audit, processes in place to ensure employees are\n           aware of their database security responsibilities.\n        E. Conducted an updated review of the Oracle and SQL database policies that changed\n           since our last review.\n        F. 
Verified whether approved IRS IRM database policy exists for versions of database\n          management products executing in the IRS non-mainframe production environment.\n       G. Interviewed database management personnel to determine reasons for any variance\n          from the standards.\nII.    Assessed the adequacy of IRS configuration management processes over its databases.\n       A. Reviewed the inventory management, version management, database configuration\n          parameters, database configuration parameter change control, and patch management\n          processes.\n       B. Interviewed database management personnel to determine reasons for any variance\n          from the standards.\nIII.   Assessed the effectiveness of IRS database identification and authentication controls.\n       A. Reviewed the authentication method that the IRS chose for installation of its database\n          software to ensure the authentication method adheres to IRS minimum security\n          requirements in IRM 10.8.4, RDBMS Security Configurations.\n       B. Determined whether the recommended authentication methods were being used.\n       C. Interviewed database management personnel to determine reasons for any variance\n          from the standards.\nIV.    Determined whether adequate database access and authorization controls were in place\n       by using the DbProtect AppDetective scanning tool to verify security settings.\n       A. Compared IRS IRM database security policies to the IRS\xe2\x80\x99s customized DbProtect\n          AppDetective policy to verify existence of and agreement for key parameter settings.\n       B. 
Conducted DbProtect AppDetective scans in the control areas of account\n          management, privilege management, trusted link management, operating system\n          protection, network access, and remote management for the sample databases to\n          ensure the database parameters and settings were appropriate, according to guidance\n          provided in IRM 10.8.4, RDBMS Security Configurations.\n       C. Interviewed database management personnel to determine reasons for any variance\n          from the standards.\n\nPage 16\n\nV.     Assessed the adequacy of IRS vulnerability management over its databases.\n       A. Verified, as a followup to our prior audit, whether the database security control\n          weaknesses that TIGTA identified were corrected.\n       B. Verified, as a followup to our prior audit, whether annual security testing evaluates\n          compliance with standard database security configurations.\n       C. Verified, as a followup to our prior audit, whether the IRS had established an\n          appropriate database compliance testing process, including evaluating the database\n          scanning tool used and defining the scope of the databases tested, the requirements to\n          be tested, the timing of the tests, and the schedule for implementation.\n       D. Determined the actual frequency of database scans for a recent 6-month period.\n       E. Determined whether high- and medium-priority database vulnerabilities were\n          properly managed and mitigated in a timely manner for a recent 3-month period.\n       F. Interviewed database management personnel to determine reasons for any variance\n          from the standards. 
If applicable, we obtained and reviewed any waiver or other\n          documentation justifying the variance from standards.\nVI.    Assessed the adequacy of database security awareness and training.\n       A. Reviewed and verified, as a followup to our prior audit, whether security\n          documentation is publicized to Database Administrators and Systems Administrators.\n       B. Verified, as a followup to our prior audit, whether the IRS Cybersecurity office\xe2\x80\x99s\n          intranet site refers to the current security configurations.\n       C. Reviewed a list of Database Administrators and associated specialized database\n          security training they have received over the last 3 to 5 years.\n       D. Interviewed database management personnel to determine reasons for any variance\n          from the standards.\nInternal controls methodology\nInternal controls relate to management\xe2\x80\x99s plans, methods, and procedures used to meet their\nmission, goals, and objectives. Internal controls include the processes and procedures for\nplanning, organizing, directing, and controlling program operations. They include the systems\nfor measuring, reporting, and monitoring program performance. We determined the following\ninternal controls were relevant to our audit objective: IRS Enterprise Operations policies and\nprocedures for managing the configuration of its database systems, including patch and\nvulnerability management. 
We evaluated these controls by conducting vulnerability scans of the\ndatabase systems, comparing the results of those scans to standards established by the IRS in its\nIRM, and also interviewing management responsible for those systems.\n\nPage 17\n\n                                                                              Appendix II\n\n                 Major Contributors to This Report\n\nAlan Duncan, Assistant Inspector General for Audit (Security and Information Technology\nServices)\nKent Sagara, Director\nCarol Taylor, Audit Manager\nMyron Gulley, Lead Auditor\nLouis Lee, Senior Auditor\nElton Jewell, Information Technology Specialist\nMonique Queen, Information Technology Specialist\n\nPage 18\n\n                                                                       Appendix III\n\n                         Report Distribution List\n\nCommissioner C\nOffice of the Commissioner \xe2\x80\x93 Attn: Chief of Staff C\nDeputy Commissioner for Operations Support OS\nAssociate Chief Information Officer, Cybersecurity OS:CTO:C\nAssociate Chief Information Officer, Enterprise Operations OS:CTO:EO\nChief Counsel CC\nNational Taxpayer Advocate TA\nDirector, Office of Legislative Affairs CL:LA\nDirector, Office of Program Evaluation and Risk Analysis RAS:O\nOffice of Internal Control OS:CFO:CPIC:IC\nAudit Liaison: Director, Risk Management OS:CTO:SP:RM\n\nPage 19\n\n                                                                                Appendix IV\n\n                                Outcome Measure\n\nThis appendix presents detailed information on the measurable impact that our recommended\ncorrective action will have on tax administration. This benefit will be incorporated into our\nSemiannual Report to Congress.\n\nType and Value of Outcome Measure:\nInefficient Use of Resources \xe2\x80\x93 Actual; $1,113,850 ($1,160,260 * 96 percent) (see page 9).\n\nMethodology Used to Measure the Reported Benefit:\nIn June 2007, the IRS purchased the license for the DbProtect AppDetective vulnerability\nscanning tool for $1,160,260 to address the need for formally scheduled scans of IRS databases\nto ensure appropriate security configurations are maintained. However, we determined the tool\nwas never fully implemented. In addition to significant technical difficulty in implementing the\ntool, IRS management stated that it would have incurred significant additional costs to license\nthe tool for its IBM mainframe database environment. The IRS then decided to pursue the\npurchase of another tool that could be implemented across its entire computing environment.\nWe noted that IRS used the tool to complete scans for only 79 (4 percent) of the 1,879 databases\nwithin its enterprise that it had expected to complete. 
To calculate the cost of the tool, we\nmultiplied the total cost ($1,160,260) by the percentage of databases that were not scanned by\nthe tool (96 percent), with the result of $1,113,850.\n\nPage 20\n\n                                                Appendix V\n\nManagement\xe2\x80\x99s Response to the Draft Report\n\nPage 21\n'